[OpenID] Combining Google & Yahoo user experience research
Allen Tom
atom at yahoo-inc.com
Tue Oct 14 06:56:29 UTC 2008
Chris Messina wrote:
> So many sites (in the wild) now immediately ask you for your email
> address after you sign up with OpenID that it seems counter-productive
> NOT to support email addresses... especially since they often require
> you to confirm your email address via token (which, if it were part of
> the OpenID spec, could be done entirely within the browser).
+1
I think there's a very interesting opportunity to use OpenID as a
browser based email verification protocol. The emphasis is on verifying
the user's email, not signing in. There are plenty of use cases where
websites need a verified email address, and OpenID could be used to
streamline this process and to increase the success rate. (many studies
show that there is a huge failure rate for email verification)
For instance, many websites require a verified email address to
register. This process could be greatly streamlined using OpenID if the
RP trusted the OP to verify the user's email address. This would not
require the site to "accept" OpenID for SSO, but it does allow the site
to streamline its existing registration process.
Another scenario is the password reset use case. Many websites will
reset a password by sending a secret to the user's verified email. This
process could be streamlined by allowing the password to reset if the
user is able to generate an OpenID assertion for the email address.
Obviously, the RP *really* needs to trust the OP in this case.
Websites that want to accept OpenID already have an existing
Login/Registration/PasswordRecovery system, and they need to graft
OpenID on top of it. Defining a new "Email Verification" use case that
is strictly focused on email verification could be the way that we get
OpenID in the door, as implementing a lightweight email verification
protocol (and not SSO) is probably a pretty easy sell, assuming that the
email verification UX is much better than actually emailing a secret to
the user.
As far as privacy is concerned, again, this is an email verification
protocol, so the user is already giving their email address to the RP
for the purposes of having it verified.
Allen
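The two RP-side decisions the message describes (treating an OP's assertion as proof of an email address, and letting that proof drive a password reset) come down to one question: is this particular OP trusted to vouch for this particular email domain? The following is an added illustration of that trust check, not code from the thread or from any OpenID library. It assumes the OpenID library has already verified the response signature and that the email arrives as an attribute alongside the assertion (as it would with SREG or AX); the `Assertion` and `EmailTrustPolicy` types, the endpoint URLs and the addresses are all constructed for the example.

```python
"""
Constructed example: RP-side policy for accepting an OpenID assertion as
email verification. Signature checking is assumed to be done by the
OpenID library; only the trust decision is modelled here.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Assertion:
    """Hypothetical view of a positive OpenID response after library checks."""
    op_endpoint: str        # OP that signed the response (openid.op_endpoint)
    claimed_id: str         # identifier the OP vouched for
    email: Optional[str]    # email attribute returned with the assertion
    signature_valid: bool   # outcome of the library's signature verification


@dataclass
class EmailTrustPolicy:
    """Maps an OP endpoint to the email domains the RP trusts it to assert."""
    trusted: dict = field(default_factory=dict)

    def op_trusted_for(self, op_endpoint: str, domain: str) -> bool:
        return domain in self.trusted.get(op_endpoint, set())


def normalize_email(email: str) -> Optional[str]:
    """Lower-case the whole address for comparison (a site policy choice;
    the local part is formally case-sensitive) and reject malformed input."""
    local, sep, domain = email.strip().partition("@")
    if not sep or not local or not domain or "@" in domain:
        return None
    return f"{local.lower()}@{domain.lower()}"


def verified_email(assertion: Assertion, policy: EmailTrustPolicy) -> Optional[str]:
    """Return the address the RP may record as verified, or None.

    The key check is the last one: an OP only proves control of addresses
    in domains the RP has explicitly decided to trust it for, so a signed
    assertion carrying someone else's domain is worth nothing.
    """
    if not assertion.signature_valid or not assertion.email:
        return None
    email = normalize_email(assertion.email)
    if email is None:
        return None
    domain = email.rpartition("@")[2]
    if not policy.op_trusted_for(assertion.op_endpoint, domain):
        return None
    return email


def may_reset_password(account_email: str, assertion: Assertion,
                       policy: EmailTrustPolicy) -> bool:
    """Password-reset use case: allow only when the assertion verifies the
    exact address on file for the account."""
    email = verified_email(assertion, policy)
    return email is not None and email == normalize_email(account_email)


if __name__ == "__main__":
    # Constructed policy: one OP trusted for exactly one email domain.
    policy = EmailTrustPolicy({
        "https://op.example-mail.test/openid": {"example-mail.test"},
    })
    good = Assertion("https://op.example-mail.test/openid",
                     "https://op.example-mail.test/alice",
                     "Alice@Example-Mail.test", True)
    foreign = Assertion("https://op.example-mail.test/openid",
                        "https://op.example-mail.test/alice",
                        "alice@other.test", True)
    print(verified_email(good, policy))      # alice@example-mail.test
    print(verified_email(foreign, policy))   # None
    print(may_reset_password("alice@example-mail.test", good, policy))  # True
```

The policy table is deliberately per-domain rather than a flat "trusted OPs" list: the message's point that "the RP *really* needs to trust the OP" for password reset is exactly the observation that trusting an OP to authenticate users is not the same as trusting it to speak for arbitrary email domains.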